Lucene search
+L

964 matches found

Cvelist
Cvelist
added yesterday18 views

CVE-2026-12393 WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

0.00132EPSS
Exploits0References1
CVE
CVE
added yesterday11 views

CVE-2026-12393

The vulnerability CVE-2026-12393 affects the WPS Bookings for WooCommerce WordPress plugin prior to version 3.11.7. The root cause is that the plugin does not verify that a booking order belongs to the requesting user before cancellation, enabling any authenticated user (e.g., Subscriber/Customer...

5.4CVSS6.1AI score0.00132EPSS
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-45148

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

5.4CVSS5.3AI score0.00132EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-12393

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

5.3AI score0.00132EPSS
Exploits0References1
CVE
CVE
added 3 days ago13 views

CVE-2026-52870

The MCP Python SDK (package mcp on PyPI) has a vulnerability in versions 1.23.0–1.27.1 where default handlers installed by server.experimental.enable_tasks() for tasks/list, tasks/get, tasks/result, and tasks/cancel only operate on task identifiers and do not record the session that created each ...

7.6CVSS6.1AI score0.00227EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/07/10 6:35 p.m.5 views

CVE-2026-55476 Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter

Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/itemType/itemId/cancelbyadmin?/requestingUser? accepts cancelbyadmin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that...

5.3CVSS6.1AI score0.002EPSS
Exploits0References6
CVE
CVE
added 2026/07/10 6:35 p.m.11 views

CVE-2026-55476

Snipe-IT (asset/license management) prior to v8.6.0 is vulnerable: POST /account/request/{itemType}/{itemId}/{cancel_by_admin}/{requestingUser} accepts cancel_by_admin as a URL path segment, enabling an authenticated user to silently cancel another user’s pending asset requests. Affects versions ...

5.3CVSS6.1AI score0.002EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/07/10 6:35 p.m.36 views

CVE-2026-55476 Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter

Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/itemType/itemId/cancelbyadmin?/requestingUser? accepts cancelbyadmin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that...

5.3CVSS0.002EPSS
Exploits0References4
NVD
NVD
added 2026/07/10 9:16 a.m.6 views

CVE-2026-11992

The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level...

4.3CVSS0.0028EPSS
Exploits0References9
EUVD
EUVD
added 2026/07/10 7:48 a.m.6 views

EUVD-2026-42850

The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level...

4.3CVSS6.1AI score0.0028EPSS
Exploits0References9
NVD
NVD
added 2026/07/10 4:17 a.m.8 views

CVE-2026-5069

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS0.00176EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/10 2:30 a.m.8 views

EUVD-2026-42778

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/10 2:30 a.m.7 views

CVE-2026-5069

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/10 2:30 a.m.33 views

CVE-2026-5069 Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id'

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS0.00176EPSS
Exploits0References2
CVE
CVE
added 2026/07/10 2:30 a.m.11 views

CVE-2026-5069

Vulnerability summary (CVE-2026-5069) : The Fluent Forms plugin for WordPress up to version 6.2.1 is vulnerable to incorrect authorization via the subscription_id parameter in the payment cancellation AJAX flow. The root cause is insufficient ownership authorization checks, allowing authenticated...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/07/09 1:51 p.m.7 views

WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation vulnerability

Incorrect Authorization to Authenticated Subscriber+ Arbitrary Subscription Cancellation vulnerability discovered by Fernando Mecozzi in WordPress Plugin FluentForm versions = 6.2.1...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/07/09 9:31 a.m.10 views

CVE-2026-9028

Technical details are not publicly available in the provided documents. Monitor for updates.

5.3CVSS6AI score0.00288EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/09 9:31 a.m.31 views

CVE-2026-9028 CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Missing Authorization to Unauthenticated Arbitrary Order Cancellation via 'order_number' Parameter

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers t...

5.3CVSS0.00288EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/07/09 9:31 a.m.7 views

CVE-2026-9028

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers t...

5.3CVSS6AI score0.00288EPSS
Exploits0References9
SUSE CVE
SUSE CVE
added 2026/07/03 3:5 a.m.9 views

SUSE CVE-2026-53097

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix use-after-free bugs in mt7996macdumpwork When the mt7996 pci chip is detaching, the mt7996crashdata is released in mt7996coredumpunregister. However, the work item dumpwork may still be running or pending,...

5.8AI score0.00168EPSS
Exploits0References4
Rows per page
Query Builder